by Morgan Littlewood
Fully featured Windows file system ACLs are well supported in TrueNAS 12.0 (CORE and Enterprise), but not generally supported by Linux. Thanks to some innovation, and sweat from the iXsystems engineering team, TrueNAS SCALE 21.08 now brings fine-grained Windows ACLs to Linux and ZFS. This allows SMB users to experience a more seamless transition to TrueNAS SCALE from Windows Server or TrueNAS 12.0 environments.
Some Background on Access Control Lists (ACLs)
Windows ACLs were developed back in the 1990s (Windows NT) and integrated into the operation of SMB (Server Message Block) for file sharing. Windows ACLs are more fine-grained and sophisticated than the traditional POSIX permissions which were used by the NFSv3 protocol and local access on UNIX servers. This initially presented significant administrative challenges for professionals who wanted to integrate their Unix servers in Windows environments.
NFSv4 ACLs were created to provide full interoperability between Windows ACLs and traditional UNIX and BSD systems. These ACLs, which TrueNAS users refer to as Windows or NFSv4 ACLs depending on the context, are used on TrueNAS CORE and Enterprise today. These NFSv4 ACLs were not natively supported by Linux.
Until now, Linux has natively supported POSIX.1e ACLs, which are a subset of what full NFSv4 (and Windows ACLs) can support. The practical result of this limitation was that administrators encountered issues migrating data from their Windows systems to Linux because the conversion from a Windows ACL to a POSIX.1e ACL was not always possible without losing potentially important ACL information.
iXsystems Develops a Windows-Linux ACL Compatibility for OpenZFS
The ability to support a rich and consistent ACL model between all methods of accessing data has proved elusive on the Linux platform. Now, this problem has been addressed by iXsystems and TrueNAS SCALE.
TrueNAS SCALE splits the horns of this administrative dilemma by bringing full ACL compatibility between Windows and Linux with NFSv4 ACLs on OpenZFS. iXsystems has developed this Linux kernel software innovation and released it back to the Open Source community.
With the release of TrueNAS SCALE 21.08 BETA, there is also a single WebUI page to edit Windows ACLs. This will greatly simplify NAS administration for many users and will enable the “sidegrade” of TrueNAS CORE systems to TrueNAS SCALE, for those users that want Linux containers or scale-out options.
The TrueNAS SCALE view of Windows ACLs
The integration of Windows ACLs was one of the remaining pieces for completion of TrueNAS SCALE Angelfish. TrueNAS SCALE 21.08 is planned to be the last BETA version and we look forward to getting community feedback and moving forward to the release of SCALE.
For the latest information on ACL best practices, please refer to the official TrueNAS documentation.
Below is some practical advice for the use of file system ACLs.
Why use ACLs?
The simplest answer for this is that they are a part of the SMB protocol. When an SMB client opens a file, it specifies the type of access it wants to it (SMB2 access mask). The server will evaluate the file’s permissions, and deny access if the requested access is not permitted for the user from the SMB session. Likewise, an SMB client may send requests to read or modify the on-disk ACL. Often an application that explicitly sets a particular ACL on a file will verify that the requested ACL was actually set. This means from the point of view of correctness and compatibility, ACLs should not be disabled for SMB shares.
What is the right ACL type to use on my TrueNAS SCALE server?
The topic of how to properly configure ACLs on an SMB share is multi-faceted, and depends on the existing environment. It should not be decided based on what appears to be simpler to understand.
Questions that should be considered are ones such as: “how do I migrate data to TrueNAS?”, “how do I back up data on TrueNAS?,” and “how do I plan to access the TrueNAS?”
Even though the new NFSv4 ACL support in TrueNAS SCALE provides the best possible compatibility with a Windows file system security model, it is not always the best choice for a given situation. The following situations may influence an administrator to choose POSIX.1e ACLs rather than NFSv4 ACLs for an SMB share:
- Working with third party backup products that do not support native NFSv4 ACLs
POSIX.1e ACLs have a long history on the Linux platform and many backup products (including rsync) that access the server outside of the SMB protocol will not be able to understand and preserve native NFSv4 ACLs. If this is the case, then the POSIX.1e ACL type must be selected to maintain compatibility with the backup product. Note: when making decisions about how you’re configuring ACLs, also take the extra time to verify that you can restore the permissions correctly from backups.
- TrueNAS is being used as a backup target for clients that use POSIX.1e ACLs
Many administrators take advantage of the tremendous safety and data protection that ZFS gives by making their TrueNAS server a target for file-based backups from computers on their networks. Just like mentioned above, POSIX.1e ACLs have a long history on Linux. There are many common file-based backup or synchronization tools that are POSIX.1e ACL aware, e.g. rsync. If you wish to preserve POSIX.1e ACLs from the client, then POSIX.1e ACLs are a requirement.
- ZFS replication to non-TrueNAS ZFS on Linux
If the SMB dataset is replicated to another non-TrueNAS ZFS-on-Linux server, and this server is expected to be able to seamlessly take over serving files in a disaster recovery scenario, then POSIX.1e ACLs must be used.
- TrueNAS SCALE is configured for a scale-out or clustered volume.
If the SMB dataset is based on a gluster clustered volume, only POSIX.1e permissions are supported in the Angelfish release train. This may be changed with future versions of TrueNAS SCALE.
While POSIX.1e permissions might be an option in some situations, the following considerations may influence an administrator to require NFSv4 ACLs rather than POSIX.1e for an SMB share:
- Lossless migration of Windows-style ACLs
Often migration of data (while preserving permissions) from a Windows server or another server implementing an ACL model richer than POSIX.1e ACLs and storing this information such that it is enforced for all file access is an absolute requirement. In this case, NFSv4 ACLs must be used.
- Compatibility with TrueNAS Core / Enterprise and Free BSD
POSIX.1e ACLs are a Linux-specific ZFS feature. If data is being migrated from non-SCALE TrueNAS, FreeBSD, or other non-Linux ZFS implementations, then the NFSv4 ACL type must be used if permissions are to be preserved.
- Advanced NFSv4 ACL features are a requirement
There are many features in NFSv4 ACLs that meet critical business needs or simplify server administration. Examples include being able to explicitly deny users or groups access to share, and the ability to differentiate between entries that have been inherited and non-inherited.
Morgan Littlewood serves as SVP TrueNAS Product Management for iXsystems. Prior to joining iXsystems, Morgan held executive posts with Cisco and Violin Memory in support of enterprise storage and networking.
Apr2022, Software Magazine